We are currently in the process of replacing some of our file servers with Active Directory-joined Samba servers. However, during testing we have noticed behaviour that has caught us off guard.

Changes in user group membership in AD do not show up on our file servers. Specifically, changing a user's groups in AD won't affect group membership on the Samba server once the user has authenticated. Even killing their processes won't.

This is a problem, as once a client has established a connection to a share, it will keep access to the share even if group membership has long since been revoked.

It is my understanding that group membership is updated at authentication time and cached forever. Is there a way around this?

With `winbind cache time = 10`, changes in group membership show up in `id` quickly _only_ as long as the user in question has no active session. Once they show up in `net status sessions`, group membership sticks forever.

I am experiencing this behaviour with 4.5.8-Debian, but looking through the bugs this seems to be a recurring theme in all versions. Are there good workarounds?

        obey pam restrictions = yes

        netbios name = redacted
        workgroup = REDACTED
        security = ADS
        realm = REDACTED.DE
        log level = 0
        usershare max shares = 0
        usershare path = /dev/null

        # NT ACLs stored in xattrs, DOS attributes kept
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        inherit permissions = yes

        # idmap: tdb for the default/BUILTIN range, rid for the domain
        idmap config * : backend = tdb
        idmap config * : range = 1000 - 99999
        idmap config REDACTED : backend = rid
        idmap config REDACTED : range = 100000 - 500000
        template shell = /bin/bash
        template homedir = /home/%D/%U

        load printers = no
        printcap name = /dev/null

        # winbind settings; cache time lowered while testing group changes
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = no
        winbind enum groups = no
        winbind refresh tickets = yes
        winbind cache time = 10
        winbind offline logon = true
        winbind expand groups = 3
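The following is an added example, not code from the original post or from Samba: a small model of the behaviour described above and the drift check an administrator can run. The assumption it encodes is that a session's security token is built once, at session setup, from the group list delivered by the authentication step (for Kerberos, the PAC inside the client's cached service ticket), and is never refreshed while the session lives; directory lookups such as `id` are a separate path. All users, PIDs, group names and the directory contents are constructed; `session_setup`, `has_share_access` and `find_stale_sessions` are illustrative functions, not Samba APIs.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Group names arrive in two spellings: `id` with "winbind use default domain = yes"
# prints bare names, wbinfo prints DOMAIN\name. Canonicalise before comparing.
def normalize(groups: Iterable[str]) -> FrozenSet[str]:
    return frozenset(g.rsplit("\\", 1)[-1].lower() for g in groups)


@dataclass(frozen=True)
class Session:
    pid: int
    user: str
    token_groups: FrozenSet[str]   # fixed at session setup, never refreshed


def session_setup(pid: int, user: str, groups_at_auth: Iterable[str]) -> Session:
    """Constructed stand-in for smbd's session setup: the token is built from
    whatever group list the authentication step supplied, and nothing else."""
    return Session(pid, user.lower(), normalize(groups_at_auth))


def has_share_access(session: Session, share_acl_groups: Iterable[str]) -> bool:
    """A share ACL granting access to any group in the token admits the session."""
    return bool(session.token_groups & normalize(share_acl_groups))


def find_stale_sessions(
    sessions: Iterable[Session], directory: Dict[str, List[str]]
) -> Dict[int, Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Compare each live session's token with the directory's current view.
    Returns {pid: (groups the token still has but AD revoked,
                   groups AD added that the token lacks)}."""
    stale = {}
    for s in sessions:
        current = normalize(directory.get(s.user, ()))
        lost, gained = s.token_groups - current, current - s.token_groups
        if lost or gained:
            stale[s.pid] = (lost, gained)
    return stale


def demo():
    # Constructed directory state and share ACL (hypothetical names).
    directory = {"alice": ["REDACTED\\Domain Users", "REDACTED\\Finance"]}
    finance_acl = ["REDACTED\\Finance"]

    # 1. alice authenticates. Her token lists Finance, and so does the PAC in
    #    the Kerberos service ticket her client now caches.
    pac_groups = list(directory["alice"])
    s1 = session_setup(4711, "alice", pac_groups)

    # 2. An AD admin removes alice from Finance.
    directory["alice"] = ["REDACTED\\Domain Users"]

    # 3. The existing session keeps its token, so it keeps the share.
    still_open = has_share_access(s1, finance_acl)

    # 4. Killing the smbd process only forces a reconnect; a client that still
    #    holds the cached ticket re-authenticates with the same stale PAC.
    s2 = session_setup(4712, "alice", pac_groups)
    after_kill = has_share_access(s2, finance_acl)

    # 5. Only an authentication that carries the current group list (fresh
    #    ticket after purge or expiry) yields a token without Finance.
    s3 = session_setup(4713, "alice", directory["alice"])
    after_fresh_auth = has_share_access(s3, finance_acl)

    # The check an admin can run: which live sessions no longer match AD?
    stale = find_stale_sessions([s1, s2, s3], directory)
    return still_open, after_kill, after_fresh_auth, stale


if __name__ == "__main__":
    print(demo())
```

The check in `find_stale_sessions` is what you would feed with the user list from `smbstatus`/`net status sessions` and a fresh group lookup per user; the sessions it flags are the ones whose clients need to re-authenticate with a fresh group list, which a server-side cache flush alone does not produce.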

